local smb = require "smb"
local vulns = require "vulns"
local stdnse = require "stdnse"
local string = require "string"

description = [[
Checks if the target machine is running the Double Pulsar SMB backdoor.
Based on the python detection script by Luke Jennings of Countercept.
https://github.com/countercept/doublepulsar-detection-script
]]

---
-- @usage nmap -p 445 --script=smb-double-pulsar-backdoor
--
-- @see smb-vuln-ms17-010.nse
--
-- @output
-- | smb-double-pulsar-backdoor:
-- |   VULNERABLE:
-- |   Double Pulsar SMB Backdoor
-- |     State: VULNERABLE
-- |     Risk factor: HIGH  CVSSv2: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
-- |       The Double Pulsar SMB backdoor was detected running on the remote machine.
-- |
-- |     Disclosure date: 2017-04-14
-- |     References:
-- |       https://isc.sans.edu/forums/diary/Detecting+SMB+Covert+Channel+Double+Pulsar/22312/
-- |       https://github.com/countercept/doublepulsar-detection-script
-- |_      https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation

author = "Andrew Orr"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- "malware" because this script reports an installed implant, not a
-- software vulnerability; "safe" because the check is read-only.
categories = {"vuln", "safe", "malware"}

-- Only run against hosts on which the smb library finds an SMB port.
hostrule = function(host)
  return smb.get_port(host) ~= nil
end

--- Builds and sends an SMB_COM_TRANSACTION2 request on an existing session.
-- Copied from smb.lua because the library version's timeout has to be
-- modified to get a response back.
-- @param smbstate SMB session state, handed to smb.smb_encode_header.
-- @param sub_command TRANS2 subcommand code (used further down, past this excerpt).
-- @param function_parameters raw parameter bytes; their length fixes the
--   parameter and data offsets computed below.
-- @param function_data raw data bytes (used further down, past this excerpt).
-- @param overrides optional table of header field overrides; defaults to {}.
-- NOTE(review): the return contract is not visible in this excerpt; presumably
-- the library convention of nil, err on failure -- confirm against smb.lua.
local function send_transaction2(smbstate, sub_command, function_parameters, function_data, overrides)
  overrides = overrides or {}
  local header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, pid, mid
  local header, parameters, data
  local parameter_offset = 0
  local parameter_size = 0
  local data_offset = 0
  local data_size = 0
  local total_word_count, total_data_count, reserved1, parameter_count, parameter_displacement, data_count, data_displacement, setup_count, reserved2
  local response = {}

  -- Header is 0x20 bytes long (not counting NetBIOS header).
header = smb.smb_encode_header(smbstate, 0x32, overrides) -- 0x32 = SMB_COM_TRANSACTION2 if(function_parameters) then parameter_offset = 0x44 parameter_size = #function_parameters data_offset = #function_parameters + 33 + 32 end -- Parameters are 0x20 bytes long. parameters = string.pack("